Women in Cybersecurity: Bringing Balance to the Equation

The world of technology is exciting. And confusing. And dangerous. And full of potential. For women, privacy and security are concepts that go hand in hand. Today’s technology has created new ways for us to protect ourselves and create more of what we want in the world. But it has also opened a Pandora’s box of opportunities for exploitation. This greater vulnerability is not just occurring at the individual level with our personal information on social media and in the cloud. It is also impacting businesses, governmental organizations, national infrastructure, and global economics. Here are a few perspectives and stories from women working to create a more secure world through technology.

Hacking the cybersecurity problem

What is cybersecurity? For some, it means governance and compliance. There’s also application security, penetration testing, infrastructure security, and even security as code. But for Shannon Lietz, DevSecOps Leader at Intuit, it’s simple. “Cybersecurity to me is about chasing away bad guys and adversaries. We’ve focused a lot of our efforts over the last twenty years on compliance and some of those parts of the field. But the biggest needle move is around chasing away adversaries, being adversary-obsessed. Cybersecurity is about making software safe enough for our kids to use in the future. Because otherwise, it’s going away, and I don’t want to see that happen.”

Sometimes that means pretending to be the bad guys (and gals) to find out just how big the gaps are. Shelley Westman, VP of Operations and Strategic Initiatives at IBM, addressed the issue of hacking from a white hat perspective. “There are a lot of ethical hackers whose sole job is to let these companies know about flaws in their system before it becomes public and before significant damage is done. A lot of companies will pay them bounties to do that.”

Judith Germano, Senior Professor and Fellow at NYU, agreed. “We can’t defend our systems if we don’t know what the vulnerabilities are. It’s essential to understand different ways people can get into the system so you can address it as soon as possible.” Penetration testing also makes it possible to identify the type of red flags that signal when an intrusion is in process.

Unique advantages for women in cybersecurity

As hard as it can still be for women to make it in the male-dominated world of IT, being underestimated has its perks. This is especially true when it comes to finding vulnerabilities. At a recent panel discussion at the Hackers on Planet Earth (HOPE) conference, cybersecurity strategist Cindy Cullen told hilarious stories about how her gender provided an edge in breaking into systems. For example, when she visited supposedly secure facilities in the southern U.S., men would hold the door open and she could walk right in—bypassing all kinds of security measures in the process. Walking into a CEO’s office while he was out and leaving her card under the keyboard proved just as easy. No one thought to stop her, because everyone assumed she was harmless.

Another favorite approach to breaking into systems was through good-old-fashioned acting. “I found one of the best ways to do social engineering when I was trying to show organizations that they had weak systems in place. I would call up the admin for senior executives and act like I was going to cry because I was going to lose my job because I did something wrong. I’d beg, ‘Please let me have his password!’ And they would hand it over.”

Debbie Gondek, Senior Vice President of Operational Risk Management at Citi, revealed that not being part of the “boys club” honed her independent-thinking skills. “You get used to being the outsider. The advantage of that position is that it lends itself to naturally having an independent perspective on things. There are certain roles in information security and risk in general where that is an advantage. You’re tasked with looking at something they have been doing forever and asked to find the vulnerabilities in an established process.”

Security is getting harder

While security and privacy might seem like synonyms, in the cyber world they are usually two ends of a seesaw. When security goes up, privacy suffers, and vice versa. Leitz pointed to the GDPR as a case of privacy regulations going too far. “As a security professional hunting down bad guys, having things like GDPR cause us to lose a major source of threat intelligence gives our adversaries an advantage.” Hackers and identity thieves could leverage this newfound privacy as a shield for their nefarious acts. When privacy is excessively protected, “We create an environment where adversaries do things they shouldn’t be able to do. When I can’t look up an IP address properly to see who someone is or where they might be hiding and none of my tools work, that’s a bad day.”

The steep costs of a privacy breach could also create an environment where corporations want to keep their own shortcomings hushed up. Antelada Toledano, Cybersecurity Engineer and Founder of GirlsCanHack, stated her opinion about this lack of transparency. “There’s another thing that is counterproductive. Now corporations take a long time to disclose data breaches. Sometimes, it takes a couple of years. Not everyone admits it right away when they have a data breach that impacted two hundred million credit cards. If you have a law telling you that not only will your reputation be damaged, but they are going to give you a fine of twenty million dollars, I’m worried companies are going to start holding back that kind of information.”

Privacy is becoming harder to find

As a counterpoint to Shannon’s argument, Maria Bisaga, Software Test Engineer at BioFire Diagnostics, stood her ground as a champion for privacy. “Data privacy is the foundation of our democracy and our liberty. Why? Data privacy is rooted in our first and fourth amendments, the right of free speech and right to have our person and property left unbothered. If you’re under surveillance and people know what you’re saying and doing, it affects your relationship with people. It even affects how you question the world.”

Bisaga pointed to the troubling lack of privacy in China’s society as an example of what can happen when this basic human right is eroded. She revealed that in some areas of China, cameras are everywhere, and people must submit to a face recognition scan to even get toilet paper in a public bathroom. The new “social point system” that tracks everything a person says or does is an example of how dystopian the culture has become. “Everything you say and do impacts your points. If your points are too low, there are consequences.” Citizens with low scores may find themselves unable to travel or send their children to a preferred school. In such an environment, it’s hard to believe that anyone feels truly safe.

The cyber future hangs in the balance

Whether trying to get access to data to provide better security or locking it down for more privacy, the entire process is a balancing act with high stakes. Whenever the pendulum swings too far in one direction, a correction is inevitable. Leitz predicted, “There’s going to be a reconciliation.” In the words of Westman, “It’s becoming personal to each of us that our own information is protected.” That’s the one thing everyone can agree on. With women currently holding only 11% of cybersecurity roles, there’s a very real need for more female voices at the table to craft policy and lead innovation. Because when it comes to cybersecurity, it will always be personal.